Since our 2.0.0 release in March earlier this year we've been busy shaping the new Cuckoo Package style of releases and further improving a number of features in Cuckoo. Since then we've somewhat quietly released a couple of minor versions to fix dozens of bugs.

With the release of 2.0.4 we once again ship a number of important improvements that simplify and improve the user experience while adding functionality that surfaces more of the collected information. Following is an overview of the smaller and bigger changes that come with this release:
- Malware Configuration Extraction, part 1
- Linux Analysis improvements
- Miscellaneous improvements
- Upcoming features
- Conclusions
Malware Configuration Extraction, part 1
Now that Cuckoo has become the go-to solution for generic behavioral analysis, the time has come to also focus on more specific payloads and variants. We've included a number of new features in this release to facilitate such functionality.
(This is part 1 because future blog posts will build upon it.)
Yara integration
Cuckoo now ships with Yara by default after working together with Victor Manuel Alvarez. As such, Yara is no longer an optional feature. In the process of integrating it we also identified CVE-2017-11328, a heap overflow in the Yara core that may be triggered through two different code paths in the .NET module.
Extracted category
We're introducing a new Extracted category, a category that allows recursive extraction of potentially interesting information. E.g., Cuckoo reports the command line for each executed process. Many times, e.g., in almost every sample from Unit42's PowerShell blog post, PowerShell will be invoked with the -EncodedCommand or -enc parameter, which accepts a base64-encoded UTF-16LE string that represents the PowerShell payload.

In such cases we'll naturally want to see the actually executed PowerShell script rather than the base64 blob. Cuckoo will now extract and analyze the decoded PowerShell script as if it was a dropped file (now called an extracted file).
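As an added example (this is not Cuckoo's own extractor code), the following Python function performs the decoding step described above: it scans a process command line for the -EncodedCommand switch, base64-decodes the argument, interprets it as UTF-16LE, and then re-scans the recovered script so that a nested encoded invocation is extracted as well. powershell.exe also accepts abbreviations of the switch such as -e, -ec or -enc, which is why the check matches prefixes of the switch name rather than exact spellings; treating every prefix as valid is an assumption of this example. The `encode_command` helper and the two-stage sample command line are constructed here for demonstration.

```python
import base64
import binascii
import re
from typing import List, Optional

# powershell.exe accepts abbreviations of -EncodedCommand (-e, -ec, -enc, ...),
# so we match prefixes of the switch name. Assumption for this example: every
# prefix of one or more letters counts as the switch.
_SWITCH = "encodedcommand"

# A base64 token, optionally wrapped in quotes; '=' padding may have been stripped.
_B64_TOKEN = re.compile(r"^['\"]?([A-Za-z0-9+/]+={0,2})['\"]?$")


def _is_encoded_switch(token: str) -> bool:
    """True for -e, -enc, /EncodedCommand, ... (case-insensitive)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    return _SWITCH.startswith(token[1:].lower())


def decode_encoded_command(blob: str) -> Optional[str]:
    """Base64 -> UTF-16LE text, or None if the blob is not a valid payload."""
    blob += "=" * (-len(blob) % 4)  # restore stripped padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_encoded_commands(cmdline: str, max_depth: int = 5) -> List[str]:
    """Return every script hidden behind -EncodedCommand, outermost first.

    Each recovered script is scanned again, so a script that itself launches
    'powershell -e <base64>' yields its inner payload too (the recursive
    "extracted file" case); max_depth bounds that recursion.
    """
    found: List[str] = []
    pending = [(cmdline, 0)]
    while pending:
        text, depth = pending.pop(0)
        tokens = text.split()
        for switch, value in zip(tokens, tokens[1:]):
            if not _is_encoded_switch(switch):
                continue
            match = _B64_TOKEN.match(value)
            if match is None:
                continue
            script = decode_encoded_command(match.group(1))
            if script is None:
                continue
            found.append(script)
            if depth + 1 < max_depth:
                pending.append((script, depth + 1))
    return found


def encode_command(script: str) -> str:
    """Helper used only to build constructed samples: the inverse transform."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    # Constructed two-stage sample: the outer script launches a second
    # encoded PowerShell; both layers are recovered.
    inner = "Write-Host 'stage two'"
    outer = "powershell.exe -nop -w hidden -e " + encode_command(inner)
    cmdline = ("powershell.exe -NoP -NonI -W Hidden -Exec Bypass "
               "-EncodedCommand " + encode_command(outer))
    for i, script in enumerate(extract_encoded_commands(cmdline)):
        print("layer %d: %s" % (i, script))
```

The prefix check deliberately rejects switches like -Exec, -ExecutionPolicy or -Encoding, since none of them is a prefix of "encodedcommand"; a stripped-padding or non-base64 argument simply yields nothing rather than raising.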
Extractor Signatures
Extractor Signatures operate on Extracted artefacts after they have been identified by a specialized Yara rule. Such Extractors can then generate other extracted files.
PowerShell Yara rules & Extractors
We've added a number of new Yara rules in the Cuckoo Community that can
identify specific PowerShell payloads and, together with Extractor
Signatures, extract x86 shellcode from the PowerShell payloads.
Unicorn Engine integration
After extracting a number of x86 shellcode payloads we came to the conclusion that they're mostly Metasploit payloads (as far as we saw in the sample set from the Unit42 blog post anyway). Some of these payloads were Shikata ga nai-encoded, so we also did a basic integration of Unicorn Engine, a lightweight CPU emulator framework, in order to decode the encoded shellcode payloads. There's still a bug in Unicorn Engine though that prevents certain Shikata ga nai payloads from being decoded properly - feel free to help us out on that matter!
Shellcode Disassembly Framework
While looking for a comprehensive but accurate shellcode disassembly framework we didn't find much, so we wrote our own, and that's how egghatch was born. Currently it's only used for the disassembly representation of shellcode, but in the future we suspect the Unicorn Engine-based decoding functionality may move to egghatch and include a wider array of decoding options.
Metasploit IoC Extraction
Now having access to the plaintext shellcode it is possible to extract certain IOCs - in particular we'll be interested in seeing where the payload connects, be it an IP/port combination, a hostname, or a URL. We've added a basic Yara rule that can identify a couple of Metasploit payloads and a Metasploit Shellcode Signature to extract the IOCs nicely into the final Cuckoo report.

Following is a screenshot of a meterpreter/reverse_tcp payload that was found inside a Powerfun Injector payload.
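As an added example, not the Yara rule or the signature shipped with Cuckoo, the following Python code pulls the IP/port pair out of plaintext x86 meterpreter/reverse_tcp shellcode. It assumes the stock Metasploit stager layout, which builds its sockaddr_in with two immediate pushes (the host address, then AF_INET combined with the port in network byte order) and which can be recognized by the `ws2_32` string pushes and the LoadLibraryA API hash. `SAMPLE_SHELLCODE` is a constructed fragment mirroring that layout, not a captured payload, and `xor_encode` is a toy encoder used only to show that nothing is found until the payload has been decoded.

```python
import re
import socket
import struct
from typing import List, Tuple

# Immediate pushes that build the sockaddr_in in Metasploit's x86 reverse_tcp
# stager (assumption: stock stager layout, plaintext shellcode):
#   68 <4 bytes>       push <host, network byte order>   e.g. push 0x0100007F
#   68 02 00 <2 bytes> push <AF_INET | port << 16>       e.g. push 0x5C110002
_SOCKADDR_PUSHES = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)

# Markers the stock stager leaves in plaintext: "ws2_32" pushed as two
# immediates, and the API hash the stager uses for kernel32!LoadLibraryA.
_STAGER_MARKERS = [
    b"\x68\x33\x32\x00\x00",  # push 0x00003233 ; "32\0\0"
    b"\x68\x77\x73\x32\x5f",  # push 0x5F327377 ; "ws2_"
    b"\x68\x4c\x77\x26\x07",  # push 0x0726774C ; hash("kernel32.dll", "LoadLibraryA")
]


def looks_like_metasploit_stager(shellcode: bytes) -> bool:
    """Cheap stand-in for the Yara rule: every plaintext marker is present."""
    return all(marker in shellcode for marker in _STAGER_MARKERS)


def extract_reverse_tcp_iocs(shellcode: bytes) -> List[Tuple[str, int]]:
    """Return (ip, port) pairs from push-built sockaddr_in structures."""
    iocs = []
    for host, port in _SOCKADDR_PUSHES.findall(shellcode):
        iocs.append((socket.inet_ntoa(host), struct.unpack(">H", port)[0]))
    return iocs


def xor_encode(shellcode: bytes, key: int = 0x41) -> bytes:
    """Toy single-byte XOR encoder: IOCs only appear once this is undone."""
    return bytes(b ^ key for b in shellcode)


# Constructed fragment mirroring the stager prologue and sockaddr setup.
SAMPLE_SHELLCODE = (
    b"\x68\x33\x32\x00\x00"  # push "32\0\0"
    b"\x68\x77\x73\x32\x5f"  # push "ws2_"
    b"\x54"                  # push esp          ; pointer to "ws2_32"
    b"\x68\x4c\x77\x26\x07"  # push hash(LoadLibraryA)
    b"\x89\xe5"              # mov ebp, esp
    b"\xff\xd5"              # call ebp          ; LoadLibraryA("ws2_32")
    b"\x6a\x0a"              # push 10           ; retry counter
    b"\x68\xc0\xa8\x01\x05"  # push 192.168.1.5
    b"\x68\x02\x00\x11\x5c"  # push AF_INET, port 4444
    b"\x89\xe6"              # mov esi, esp      ; esi -> sockaddr_in
)

if __name__ == "__main__":
    print("stager:", looks_like_metasploit_stager(SAMPLE_SHELLCODE))
    print("iocs:", extract_reverse_tcp_iocs(SAMPLE_SHELLCODE))
    print("iocs (encoded):", extract_reverse_tcp_iocs(xor_encode(SAMPLE_SHELLCODE)))
```

Run against the XOR-encoded bytes the extractor returns nothing, which is exactly why the Unicorn Engine decoding step has to run before IOC extraction on Shikata ga nai-encoded samples.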

Linux Analysis improvements
This release brings many improvements to the Linux Analysis component. Some new features were merged from pull requests made by the community (thanks to doomedraven and Bondey!) and some deprecated code was removed from the codebase (e.g., the missing probelkm kernel module).
For behavioral logging, SystemTap is now the primary method of analysis. SystemTap provides a convenient way to compile scripts into kernel modules, which can potentially be harder to detect for malware running within the sandbox than any userland-based analysis component. SystemTap utilizes the Linux Kprobes interface to hook and log system calls when they occur on behalf of the analyzed sample.
Following is an example of the behavioral output as displayed by Cuckoo:

Fully logging the environment variables in execve(2) (as compared to the earlier strace-like [/* X vars */]) is one of the various SystemTap patches that we've already provided to upstream. Some other patches and ideas that we've run into are still pending to be released or implemented (either by upstream or by us).
The pid following logic that was previously located in the probelkm kernel module has now been implemented in our SystemTap script. Process creation and command-line information is now handled by the SystemTap log parser (one of our Processing modules) and is displayed by Cuckoo as follows:

Furthermore, the Linux Analyzer has been updated to be compatible with the new Cuckoo Agent version that was already in use on the Windows platform. All Linux Analysis components now work out-of-the-box as detailed in the updated Linux Guest installation documentation page.
Some of the other improvements to the Linux analysis component include:
- Snapshot loading and KVM support have been added to the QEMU machinery for a significant performance boost.
- The SystemTap regular expression parser has been replaced by a partitioning parser with unit tests for correct parsing behavior.
- The SystemTap parser correctly parses and displays struct and array arguments and error constants.
- The behavioral analysis log skips any system calls made by the analyzer process itself.
- A bug in the QEMU machinery code that could cause a guest image to be nuked without warning has been fixed.
- sflock now supports and recognizes ELF executables and .sh scripts.
- ELF parsing has been added to the static analysis component (thanks to doomedraven).
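As an added illustration of the partitioning parser idea from the list above (this is not Cuckoo's parser, and the strace-style line shape it consumes is an assumption of this example), the following Python code splits a syscall log line into its name, arguments, return value and error constant while keeping nested array and struct arguments intact. A single regular expression cannot do that reliably once arguments nest or contain commas and escaped quotes, which is the case for execve's argument and environment arrays and for struct arguments such as the one stat fills in. The sample lines are constructed.

```python
import re
from typing import Any, Dict, List, Optional

# Assumed line shape for this example (strace-like):
#   name(arg, arg, ...) = retval [(ERRCONST)]
_LINE = re.compile(
    r"^(?P<name>\w+)\((?P<body>.*)\)\s*=\s*"
    r"(?P<ret>-?\d+|0x[0-9a-fA-F]+|\?)"
    r"(?:\s+\((?P<err>[A-Z][A-Z0-9]*)\))?$"
)
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0"}


def split_top_level(text: str) -> List[str]:
    """Partition on commas that sit outside quotes and outside [], {} or ()."""
    parts: List[str] = []
    buf: List[str] = []
    depth = 0
    in_string = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_string:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(text):  # keep the escaped char verbatim
                i += 1
                buf.append(text[i])
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            buf.append(ch)
        elif ch in "[{(":
            depth += 1
            buf.append(ch)
        elif ch in "]})":
            depth -= 1
            buf.append(ch)
        elif ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s)


def parse_value(token: str) -> Any:
    """"str" -> str, [..] -> list, {k=v, ..} -> dict, numbers -> int;
    anything else (flag sets such as O_RDONLY|O_CLOEXEC) stays symbolic."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return _unescape(token[1:-1])
    if token.startswith("[") and token.endswith("]"):
        return [parse_value(t) for t in split_top_level(token[1:-1])]
    if token.startswith("{") and token.endswith("}"):
        fields: Dict[str, Any] = {}
        for field in split_top_level(token[1:-1]):
            key, _, value = field.partition("=")
            fields[key.strip()] = parse_value(value.strip())
        return fields
    if re.fullmatch(r"0x[0-9a-fA-F]+", token):
        return int(token, 16)
    if re.fullmatch(r"0[0-7]+", token):  # strace prints file modes in octal
        return int(token, 8)
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    return token


def parse_syscall(line: str) -> Optional[Dict[str, Any]]:
    """Return {'name', 'args', 'return', 'error'}, or None for lines that do
    not have the expected shape (e.g. a truncated or unfinished call)."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    ret = m.group("ret")
    if ret == "?":
        retval = None
    elif ret.startswith("0x"):
        retval = int(ret, 16)
    else:
        retval = int(ret)
    return {
        "name": m.group("name"),
        "args": [parse_value(a) for a in split_top_level(m.group("body"))],
        "return": retval,
        "error": m.group("err"),
    }


# Constructed sample lines: nested arrays, a struct argument, a comma and
# escaped quotes inside a string, an error constant, and an unknown return.
SAMPLE_LINES = [
    'execve("/bin/sh", ["sh", "-c", "id"], ["PATH=/usr/bin", "HOME=/tmp"]) = 0',
    'open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -13 (EACCES)',
    'stat("/tmp/a,b", {st_mode=S_IFREG|0644, st_size=12}) = 0',
    'write(1, "hello, \\"world\\"\\n", 15) = 15',
    'exit_group(0) = ?',
]
```

The scanner tracks quote state and bracket depth in one pass, so a comma inside a quoted path or inside a nested list never splits an argument, and an unparseable line yields None instead of a half-filled record.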
With these new improvements we hope to bring new life to the Linux Analysis component of Cuckoo Sandbox and bring it up to speed with its Windows counterpart. Stay tuned!
Miscellaneous tweaks
Other improvements brought to our users in this release:
- InetSim support works once again, as the Cuckoo Rooter has been patched and tested (thanks doomedraven).
- Various Unicode-related issues have been resolved, and as such Cuckoo should now handle Unicode file paths better (both on the Host as well as on the Guest).
- The random files that are generated for each analysis run are now put in the My Documents directory rather than Desktop by default, therefore no longer confusing our users (and hopefully this change will not re-confuse you!).
- Screenshots made by Cuckoo are now not randomized for each analysis.
- A potential XSS when submitting a "specially crafted" URL in the Cuckoo Web Interface has been resolved. Thanks to Roy Kokkelkoren, Niels van Eijck, and Wouter Katz for reporting it.
Upcoming features
It's been a while and our community has been asking for it for a few years now, but we've finally picked up on official zer0m0n (originally developed by CONIX Security) integration within Cuckoo Sandbox. Please stay tuned for the 2.0.5 release ;-)
Conclusions
This release took longer than expected, but hopefully our users love it as much as we do. Thanks to our great team for putting all of it together.
As you can see we've also updated our website! All your needs should be one click away now.